2014-05-14 - RIG EK FROM 141.101.116.240 - ALTERBEE.CF

ASSOCIATED FILES:

NOTES:

MY BLOG ENTRIES SO FAR ON RIG EK:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECTS:

RIG EK - HTTP GET REQUESTS TO ALTERBEE.CF TO GET ALL THE EXPLOITS:

NOTE: The line marked [!] is where the malware payload was finally delivered.

POST-INFECTION TRAFFIC CAUSED BY THE MALWARE:

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-05-14-Rig-EK-silveright-exploit.xap
File size:  13.9 KB ( 14203 bytes )
MD5 hash:  2c1d7f916411b3abdec8f1e5eb353c22
Detection ratio:  5 / 52
First submission:  2014-05-14 05:24:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6db267ccdab3e3a90ae642fa1ec4e299bc7e4ed72c4cd5c2c441c77f2ae21a75/

JAVA EXPLOIT

File name:  2014-05-14-Rig-EK-java-exploit.jar
File size:  19.4 KB ( 19836 bytes )
MD5 hash:  9c6317f0c22b0782fac5858d0c4c4886
Detection ratio:  6 / 52
First submission:  2014-05-12 23:55:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6807113bab474e66a490a16a19a04524966bdadbbc625dbde0217e84c542dc8f/analysis/

FLASH EXPLOITS

File name:  2014-05-14-Rig-EK-flash-swf-exploit.swf
File size:  6.1 KB ( 6232 bytes )
MD5 hash:  40fd69626f5248012b6d5bd2e4d2fc9b
Detection ratio:  0 / 53
First submission:  2014-05-12 15:49:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/47be7f7ecf4383014b26e155385bdb3150949a3e7d57b9c4a4bc27cfd4a71ab7/analysis/

File name:  2014-05-14-Rig-EK-flash-swfIE-exploit.swf
File size:  5.8 KB ( 5981 bytes )
MD5 hash:  65aff3a3774298b3ed5ba2c43f8a1979
Detection ratio:  0 / 53
First submission:  2014-05-12 23:57:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0d196e1c8235bb0bebd79b28cc73e63f4481cab58e2f1c3743a54fd880109abc/analysis/

MALWARE PAYLOAD

File name:  2014-05-14-Rig-EK-malware-payload.exe
File size:  138.5 KB ( 141836 bytes )
MD5 hash:  4bbfa7bd5214e58f2b5bf8b829ac0445
Detection ratio:  2 / 53
First submission:  2014-05-14 05:31:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d8e53b1ce95c600d9f8b235bdaf02b5cbe91bd884dc0eb0df30a5fb16bbeec1a/analysis/

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Iframe in page from compromised web server points to adv-inc-net.com/trackingcode/tracker.html:

First redirect from adv-inc-net.com/trackingcode/tracker.html points to peterjarvisphotography.com:

Second redirect from peterjarvisphotography.com points to the Rig EK domain on alterbee.cf:

The rest of the Rig EK traffic is similar to my previous blog entries on 2014-05-07 (link) and 2014-05-10 (link).

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
